From 950e035f04839fde53629e413c906c449f9bdcc7 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Fri, 19 Jan 2024 00:12:16 -0800 Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [77/90]: apparmor: ensure labels with more than one entry have correct flags BugLink: http://bugs.launchpad.net/bugs/2028253 labels containing more than one entry need to accumulate flag info from profiles that the label is constructed from. This is done correctly for labels created by a merge but is not being done for labels created by an update or directly created via a parse. This technically is a bug fix, however the effect in current code is to cause early unconfined bail out to not happen (ie. its slower) on labels that were created via update or a parse. Signed-off-by: John Johansen (cherry picked from commit 057bf67d3bd3cd439d9917c94ed1dc146e6ff91a https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati --- security/apparmor/label.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/apparmor/label.c b/security/apparmor/label.c index a1d355401ca6..99c09d2b8ca1 100644 --- a/security/apparmor/label.c +++ b/security/apparmor/label.c @@ -645,6 +645,7 @@ static bool __label_replace(struct aa_label *old, struct aa_label *new) rb_replace_node(&old->node, &new->node, &ls->root); old->flags &= ~FLAG_IN_TREE; new->flags |= FLAG_IN_TREE; + new->flags |= accum_vec_flags(new->vec, new->size); return true; } @@ -705,6 +706,7 @@ static struct aa_label *__label_insert(struct aa_labelset *ls, rb_link_node(&label->node, parent, new); rb_insert_color(&label->node, &ls->root); label->flags |= FLAG_IN_TREE; + label->flags |= accum_vec_flags(label->vec, label->size); return aa_get_label(label); } @@ -1102,7 +1104,6 @@ static struct aa_label *label_merge_insert(struct aa_label *new, else if (k == b->size) return aa_get_label(b); } - new->flags |= accum_vec_flags(new->vec, new->size); ls = labels_set(new); write_lock_irqsave(&ls->lock, flags); label = __label_insert(labels_set(new), new, false);